我看了一下,完整的 sub_95c0 反汇编如下:
; ---------------------------------------------------------------------------
; sub_95c0 -- disassembler listing, 32-bit ARM in Thumb-2 encoding (2- and
; 4-byte instructions, movw/movt + "add rX, pc" for PC-relative addresses).
;
; What the visible code does, in order:
;   1. dlopen(NULL, 0xa), dlsym(handle, "ptrace"), call the result with
;      (0x1f, 0, 0, 0), then dlclose(handle).
;      0x1f is request 31, PT_DENY_ATTACH on Darwin: an anti-debugging check.
;   2. [[NSAutoreleasePool alloc] init]
;   3. UIApplicationMain(r0_in, r1_in, nil,
;                        NSStringFromClass([AMapiPhoneAppDelegate class]))
;   4. [pool release]; return UIApplicationMain's result.
;
; In:    r0, r1 = forwarded unchanged as the first two arguments of
;        UIApplicationMain (presumably argc/argv, i.e. this is the app's
;        main -- confirm against the binary's entry point).
; Out:   r0 = value returned by UIApplicationMain.
; Saved: r4-r7, r8, lr (restored in the epilogue).
;
; NOTE(review): the ptrace symbol is resolved at run time through dlsym,
; presumably so that no direct import of ptrace appears in the binary; the
; name "ptrace" is still a plain string. The dlsym result is not checked for
; NULL before "blx r4", and the return value of the ptrace call is ignored.
; As a protection this is a single call at one site, so it should not be the
; only anti-tampering control an app relies on.
; ---------------------------------------------------------------------------
0x000095c0 push {r4, r5, r6, r7, lr} ; XREF=0x40ac, sub_c2c02c+34, sub_c2c02c+38, sub_c2c02c+42, sub_c38ee8+18, sub_c3ceec+72, sub_c3ceec+616, sub_c55964+28, sub_c55bc4+62, sub_c55bc4+134, sub_c55bc4+188
0x000095c2 add r7, sp, #0xc ; r7 = address of the saved-r7 slot (frame pointer)
0x000095c4 str r8, [sp, #0xfffffffc]! ; XREF=sub_d97a1c+74
; The store above is a push of r8: offset 0xfffffffc is -4 with writeback.
; Keep both incoming arguments in callee-saved registers; they are only
; consumed by the UIApplicationMain call at 0x964c.
0x000095c8 mov r8, r1 ; XREF=sub_c4c084+48, sub_c54c8c+200, sub_c54c8c+204, sub_c54c8c+2030, sub_c54c8c+2038
0x000095ca mov r5, r0 ; r5 = first incoming argument
; --- anti-debug: handle = dlopen(NULL, 0xa) --------------------------------
; 0xa is RTLD_NOW | RTLD_GLOBAL in Darwin's <dlfcn.h>; a NULL path asks for a
; handle covering the images already loaded in the process.
0x000095cc movs r0, #0x0 ; argument #1 for method imp___picsymbolstub4__dlopen, XREF=sub_c3caa8+46, sub_c54c8c+146, sub_c54c8c+150
0x000095ce movs r1, #0xa ; XREF=sub_c3c93c+12, sub_c3caf4+28, sub_c3caf4+36
0x000095d0 blx imp___picsymbolstub4__dlopen
; --- fn = dlsym(handle, "ptrace") ------------------------------------------
; r0 still holds the dlopen handle when dlsym is called; r6 keeps a copy for
; the dlclose at 0x95f2. r1 is built PC-relative and points at "ptrace".
0x000095d4 movw r1, #0x27de ; "ptrace", :lower16:(0xf2bdc0 - 0x95e2)
0x000095d8 mov r6, r0 ; r6 = dlopen handle
0x000095da movt r1, #0xf2 ; "ptrace", :upper16:(0xf2bdc0 - 0x95e2)
0x000095de add r1, pc ; "ptrace"
0x000095e0 blx imp___picsymbolstub4__dlsym
; --- fn(0x1f, 0, 0, 0), i.e. ptrace(PT_DENY_ATTACH, 0, 0, 0) ---------------
; NOTE(review): r4 is called without a NULL check; a failed dlsym would
; branch to address 0.
0x000095e4 mov r4, r0 ; XREF=sub_c54c8c+138, sub_c54c8c+142
0x000095e6 movs r0, #0x1f ; request 31 = PT_DENY_ATTACH on Darwin
0x000095e8 movs r1, #0x0
0x000095ea movs r2, #0x0
0x000095ec movs r3, #0x0
0x000095ee blx r4 ; indirect call through the dlsym result; return value unused
0x000095f0 mov r0, r6 ; r0 = dlopen handle
0x000095f2 blx imp___picsymbolstub4__dlclose
; --- pool = [[NSAutoreleasePool alloc] init] -------------------------------
; Selector and class references are loaded through PC-relative pointers.
0x000095f6 movw r0, #0xb16a ; @selector(alloc), :lower16:(0x1474774 - 0x960a)
0x000095fa movt r0, #0x146 ; @selector(alloc), :upper16:(0x1474774 - 0x960a)
0x000095fe movw r2, #0x3fa8 ; :lower16:(objc_cls_ref_NSAutoreleasePool - 0x960c), XREF=sub_c54c8c+118, sub_c54c8c+124
0x00009602 movt r2, #0x148 ; :upper16:(objc_cls_ref_NSAutoreleasePool - 0x960c)
0x00009606 add r0, pc ; @selector(alloc), XREF=sub_dcbcec+58
0x00009608 add r2, pc ; objc_cls_ref_NSAutoreleasePool
0x0000960a ldr r1, [r0] ; "alloc",@selector(alloc), argument #2 for method imp___picsymbolstub4__objc_msgSend
0x0000960c ldr r0, [r2] ; objc_cls_ref_NSAutoreleasePool,_OBJC_CLASS_$_NSAutoreleasePool
0x0000960e blx imp___picsymbolstub4__objc_msgSend
; r0 = object returned by alloc; it becomes the receiver of -init below.
0x00009612 movw r1, #0xb15a ; @selector(init), :lower16:(0x1474778 - 0x961e)
0x00009616 movt r1, #0x146 ; @selector(init), :upper16:(0x1474778 - 0x961e)
0x0000961a add r1, pc ; @selector(init)
0x0000961c ldr r1, [r1] ; "init",@selector(init)
0x0000961e blx imp___picsymbolstub4__objc_msgSend
0x00009622 mov r4, r0 ; r4 = pool (r4 is reused; the ptrace pointer is no longer needed)
; --- name = NSStringFromClass([AMapiPhoneAppDelegate class]) ---------------
0x00009624 movw r0, #0xb144 ; @selector(class), :lower16:(0x147477c - 0x9638)
0x00009628 movt r0, #0x146 ; @selector(class), :upper16:(0x147477c - 0x9638)
0x0000962c movw r2, #0x3f7e ; :lower16:(objc_cls_ref_AMapiPhoneAppDelegate - 0x963a)
0x00009630 movt r2, #0x148 ; :upper16:(objc_cls_ref_AMapiPhoneAppDelegate - 0x963a)
0x00009634 add r0, pc ; @selector(class)
0x00009636 add r2, pc ; objc_cls_ref_AMapiPhoneAppDelegate
0x00009638 ldr r1, [r0] ; "class",@selector(class), argument #2 for method imp___picsymbolstub4__objc_msgSend
0x0000963a ldr r0, [r2] ; objc_cls_ref_AMapiPhoneAppDelegate,objc_class_AMapiPhoneAppDelegate
0x0000963c blx imp___picsymbolstub4__objc_msgSend
0x00009640 blx imp___picsymbolstub4__NSStringFromClass
; --- rc = UIApplicationMain(r5, r8, nil, name) -----------------------------
; r0/r1 are the two arguments saved on entry, r2 = 0 is the principal class
; name (nil), r3 is the delegate class name string obtained above.
0x00009644 mov r3, r0 ; XREF=sub_c72f84+54
0x00009646 mov r0, r5 ; first incoming argument
0x00009648 mov r1, r8 ; second incoming argument
0x0000964a movs r2, #0x0 ; principalClassName = nil
0x0000964c blx imp___picsymbolstub4__UIApplicationMain
0x00009650 mov r5, r0 ; keep the return value across the release call
; --- [pool release] --------------------------------------------------------
0x00009652 movw r0, #0xb122 ; @selector(release), :lower16:(0x1474780 - 0x965e)
0x00009656 movt r0, #0x146 ; @selector(release), :upper16:(0x1474780 - 0x965e)
0x0000965a add r0, pc ; @selector(release)
0x0000965c ldr r1, [r0] ; "release",@selector(release), argument #2 for method imp___picsymbolstub4__objc_msgSend
0x0000965e mov r0, r4 ; receiver = pool
0x00009660 blx imp___picsymbolstub4__objc_msgSend
; --- epilogue: return the UIApplicationMain result -------------------------
0x00009664 mov r0, r5 ; return value
0x00009666 ldr r8, [sp], #0x4 ; pop r8 (post-indexed load, sp += 4)
0x0000966a pop {r4, r5, r6, r7, pc} ; restore registers; popping into pc returns
注意:与原帖不同,sub_95c0 除了调用 ptrace 来反动态调试外,还做了其他初始化操作(从上面的反汇编看,包括创建 NSAutoreleasePool 和调用 UIApplicationMain)。因此你 hook 了这个函数后,需要手动把除 ptrace 以外的操作执行一遍,程序才能正常运行。